One of the most frequent security gaps is what is known as a buffer overrun or buffer overflow. This is damage caused when a buffer, that is a memory area of a program, is filled beyond its boundaries: data are written beyond the end of the buffer, and data which are relevant to program execution are thereby overwritten. Some of the aforementioned attacks are based on the principle of writing executable code to the stack, which is then executed and can cause errors which are in some cases serious.
Errors of this type arise predominantly in traditionally compiled programming languages, such as C and C++, since for performance reasons these languages do not automatically check access operations to fields and memory segments. Programming errors can also cause the aforementioned security problems by inadequately checking the boundaries of the fields which are written to the stack dynamically. A hacker can exploit this by feeding a hacking code into the local buffer which is then executed at a later time.
In the operating systems which are popular today (Windows 95 and above), each process has its own logical address space. An area in this address space is taken up by a stack. When a program is started, the operating system usually creates three segments in the virtual memory: the code segment, the data segment (heap segment) and the stack segment. The stack is a buffer store for local variables, transfer parameters for functions and also for return addresses of subprograms. The stack starts at a defined address, principally at the end of the address space, and grows downward on the basis of the last-in-first-out principle (LIFO buffer). Its size is mainly dependent on the recursion depth of the respective program. The instructions available for manipulating the stack are the push and pop instructions, which write data to the stack and read data from the stack. In addition, it is possible to address individual stack elements directly.
During an attack, information is deliberately written to the stack beyond the end of a buffer, so that the return address of a function is overwritten with a fed address. When the function has finished executing, the program is therefore no longer able to return to the calling function, but instead jumps to the fed address. If the fed address is a randomly selected address, the program in question is usually merely terminated without causing further damage. If the fed address is a valid address in the program, the program is executed in a manipulated fashion and hence incorrectly. Most attacks feed an address which refers to stack addresses onto which the hacking code has previously been loaded, and hence can cause massive and extensive damage.
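As an added illustration of the mechanism just described (this code is not part of the original text), the following C model places a local buffer directly below a saved return address in a constructed frame, as on a downward-growing stack, and contrasts an unbounded copy with a bounds-checked one. The struct layout, function names and the address values are assumptions; all writes stay inside the frame array, so the demonstration has defined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one stack frame (not real machine state): the local
 * buffer sits at the lower addresses and the saved return address directly
 * above it, so an overrun of the buffer spills into the return address. */
#define BUF_SIZE 8
struct frame {
    uint8_t  local_buf[BUF_SIZE];
    uint64_t saved_return;   /* hypothetical return address */
};
#define ORIGINAL_RETURN 0x4011d6ULL   /* constructed, plausible-looking value */
#define FED_ADDRESS     0xdeadbeefULL /* the "fed" address the text describes */

/* Defective pattern: copies everything the caller supplies, with no bounds check.
 * Writing through the frame pointer keeps the overrun inside the struct. */
static void copy_unchecked(struct frame *f, const uint8_t *in, size_t len) {
    memcpy((uint8_t *)f, in, len);   /* len > BUF_SIZE clobbers saved_return */
}

/* Corrected pattern: refuses input that does not fit, instead of overrunning. */
static int copy_checked(struct frame *f, const uint8_t *in, size_t len) {
    if (len > BUF_SIZE) return -1;
    memcpy(f->local_buf, in, len);
    return 0;
}

/* Feeds one oversized input (buffer-sized filler followed by a replacement
 * address) through the chosen copy routine. Returns 1 if the saved return
 * address was overwritten, 0 if it survived intact. */
static int return_address_overwritten(int use_checked_copy) {
    struct frame f = { {0}, ORIGINAL_RETURN };
    uint8_t payload[BUF_SIZE + sizeof(uint64_t)];
    uint64_t fed = FED_ADDRESS;
    memset(payload, 'A', BUF_SIZE);                 /* fills the buffer exactly */
    memcpy(payload + BUF_SIZE, &fed, sizeof fed);   /* ...then spills past its end */
    if (use_checked_copy)
        copy_checked(&f, payload, sizeof payload);  /* rejected: nothing written */
    else
        copy_unchecked(&f, payload, sizeof payload);
    return f.saved_return != ORIGINAL_RETURN;
}

int main(void) {
    printf("unchecked copy: return address overwritten = %d\n", return_address_overwritten(0));
    printf("checked copy:   return address overwritten = %d\n", return_address_overwritten(1));
    return 0;
}
```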
To be able to ensure protection against such attacks, it is known practice in systems from the prior art to use what are known as virus scanners, security updates and firewalls. A virus scanner uses the patterns known to it (code patterns for known viruses) to detect an attack. A drawback of this known solution is that the virus scanner works only when it has a pattern for the respective worm or virus that allows it to trigger an alarm. That is to say, the patterns need to be constantly updated, and their quality is dependent on the update level.
Security updates are normally modified operating system components which are provided by the manufacturer and repair security gaps which have already been detected. A fundamental problem of security updates can be seen in that the system basically has no protection in the time between identification of a security gap and release of the update by the manufacturer. In addition, another problem is that it is not possible to provide protection for security gaps which are not yet general knowledge, that is to say those which, although already known to a limited group of users, have not yet been listed.
Firewalls are active network communication components. They work in the manner of a barrier which passes on only particular network traffic. One difficulty in configuring firewalls is to avoid setting the firewall's barrier too high, which would restrict computer communication too much, while also not setting it too low, which would result in an increased security gap.
In addition, it is known practice in Windows-based operating systems to resort to processor technology. In this context, the processor technology from the company AMD provides what is known as the No-execute-Page-Protection processor feature (NX). The processor technology from the company Intel has a similar feature, known as the Execute-Disable-Bit feature. The 64-bit architectures in Windows support the aforementioned hardware, which provides an instruction rejection function (Data Execution Prevention, DEP). Stack and heap are marked as data by the Windows operating system. If an application now attempts to execute code from a memory page marked as NX, the processor triggers an exception, which results in the triggering process being terminated or interrupted.
A fundamental drawback of this solution can be seen in that earlier applications are no longer able to work following installation of the Microsoft Service Pack. Earlier programs may therefore need to be completely reworked, which entails a high cost risk. Furthermore, it is disadvantageous that a particular processor technology must be used. Other computer architectures, particularly the 32-bit architecture, are therefore excluded from protection. A further drawback of this approach can be seen in that there is no protection against attacks which relate to memory segments other than the stack or the heap.